
Post on 29-Mar-2020


Securing, Protecting, and Managing the Flow of Corporate Communications
Getting mailflow right

#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM

Dave Stork
Technical Consultant

OGD ict-diensten


Who am I?
Dave Stork
• Technical consultant @ OGD ict-diensten

• Based in The Netherlands (EU)

• Microsoft Office Apps and Services MVP

• Mail: dave.stork@ogd.nl

• Twitter: @dmstork

• Blog: https://dirteam.com/dave

Interesting Facts:

• Science & Sci-Fi nut

• I co-wrote/tech reviewed books!

• www.practicalpowershell.com


Topics
• A short SMTP intro

• Filtering mail

• Securing mail transport

• Encrypting mail

• Spoofing and how to mitigate

• Q & A


A short SMTP intro


Definitions
• Banner

• EHLO/HELO

• EHLO Response

• MAIL FROM:

• RCPT TO:

• DATA
  • Includes mail headers

Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200

From: <ditisnep@sppoooof.com>

Subject: spoof test

To: administrator@lab2010.com;

Return-Path: bounce@bounce.contoso.com

Diagram labels: Message Headers, SMTP delivery

Filtering mail


Filtering mail
Some spam filtering concepts:

• Recipient filtering

• Tar pitting

• Reverse DNS

• Connection/content filtering...


Filtering mail
Best practice: Use a cloud provider!

• Exchange Online Protection, MessageLabs, Etc.

Why?

• They take care of most things faster than most admins

• It’s an arms race; machine learning based on big data


Securing mail transport


SMTP TLS Transport
Opportunistic TLS

• Best effort encryption: fallback to lower or unencrypted SMTP

• Certificate based

• EHLO response with server FQDN, e.g. mail.contoso.com

• Certificate name must be equal to EHLO

• Certificate does not have to be trusted


SMTP TLS Transport
Mutual TLS / Domain Security

• Forced authentication & encryption: no fallback

• Certificate based

• Configured per mail domain (connectors for each domain)

• Trusted certificate with name corresponding with EHLO


SMTP TLS Transport
DANE

• DNS-Based Authentication of Named Entities (DANE); RFC7672

• Certificate based

• Ensures the mail server target found in DNS is correct (and not spoofed via DNS cache poisoning, etc.)

• DNSSEC required

• Prevents downgrade attacks of SMTP TLS (for instance due to MitM attack)

• No Trusted Certificate required


SMTP TLS Transport
What is SMTP Strict Transport Security?

• Uses DNS to check a list of valid public keys of the certificate:
  • TXT record under _smtp_sts.contoso.com

• Checks certificate against the list & Certificate Authority + Trust-on-First-Use

• Failure reporting & handling

• No DNSSEC required: a little bit less secure than DANE

Can we use it?

• Currently a protocol draft at the IETF: draft-margolis-smtp-sts-00


Encrypting mail


S/MIME
User level signing, or signing and encryption, of individual mails

• Certificate based

• Sender & receiver require each other's public key before encryption is possible

• Limited client compatibility

• Cumbersome configuration and required on each client

• Solutions that change content of mail will break S/MIME

PGP has a comparable experience


Office 365 Message Encryption (OME)
Sending encrypted mail messages

• Fully based on Rights Management Services/Information Protection

• Mail is encrypted and sent to the external recipient

• Partner opens mail
  • When on O365: auto decrypted
  • When on another platform: “hosted” on O365 for viewing using OTP or another IdP (Google, Yahoo, MSA).

Lots of other solutions offer a similar experience (e.g. Egress, open source)


OME


Spoofing and how to mitigate


What is spoofing?
The creation of email messages with a forged sender address

Organizational mitigations:
• SPF
• DKIM
• DMARC

Results in Authenticated mail

Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200

From: <ditisnep@sppoooof.com>            (RFC5322.From: the From: header address the user sees)

Subject: spoof test

To: administrator@lab2010.com;

Return-Path: bounce@bounce.contoso.com   (RFC5321.From: the SMTP MAIL FROM / envelope sender)

Diagram labels: Message Headers, SMTP delivery
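The two identities in the headers above are the ones the rest of the talk keeps coming back to. As an added example (not from the presentation), the script below pulls both out of a raw message with the Python standard library and reports whether their domains agree; the sample messages are constructed, modelled on the slide's spoof test:

```python
"""Added example, not from the presentation: extract the two sender
identities from raw message headers and check whether their domains agree."""
import email
from email.utils import parseaddr

# Constructed sample, modelled on the slide's spoof-test headers.
SPOOF_MESSAGE = """\
Received: from dc10 (10.0.10.10) by mail.lab2010.com (10.0.10.20) with Microsoft SMTP Server id 14.3.301.0; Mon, 23 Apr 2018 11:00:19 +0200
From: <ditisnep@sppoooof.com>
Subject: spoof test
To: administrator@lab2010.com
Return-Path: bounce@bounce.contoso.com

Body is irrelevant for this check.
"""

# Constructed second sample where envelope sender and header sender agree.
ALIGNED_MESSAGE = (
    SPOOF_MESSAGE
    .replace("From: <ditisnep@sppoooof.com>", "From: Newsletter <news@contoso.com>")
    .replace("Return-Path: bounce@bounce.contoso.com", "Return-Path: <bounce@contoso.com>")
)


def sender_identities(raw: str) -> dict:
    """RFC5321.From is the SMTP MAIL FROM; the receiving server records it in
    Return-Path. RFC5322.From is the From: header the user sees."""
    msg = email.message_from_string(raw)
    return {
        "rfc5321_from": parseaddr(msg.get("Return-Path", ""))[1],
        "rfc5322_from": parseaddr(msg.get("From", ""))[1],
    }


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def sender_domains_differ(raw: str) -> bool:
    """True when the envelope sender domain and the From: domain are different.
    On its own this is not proof of spoofing (forwarders and bulk mailers do it
    legitimately); it is the gap SPF alone leaves and that DMARC alignment closes."""
    ids = sender_identities(raw)
    return domain_of(ids["rfc5321_from"]) != domain_of(ids["rfc5322_from"])


if __name__ == "__main__":
    for name, raw in (("spoof", SPOOF_MESSAGE), ("aligned", ALIGNED_MESSAGE)):
        print(name, sender_identities(raw), "differ:", sender_domains_differ(raw))
```

SPF only ever looks at the RFC5321.From (or EHLO) domain, which is why the spoof sample can pass SPF for contoso.com while the user sees sppoooof.com.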


What does SPF do?
Sender Policy Framework

• Public list of servers that are allowed to mail for your domain

• Public as in: Public DNS TXT record

• Recipient servers can check AT CONNECTION whether the incoming IP is on that allow list

• Based on domain from MAIL FROM or EHLO

• Recipient organization may choose to receive, quarantine or reject those mails

SPF Syntax

Action (qualifier):
  +  Pass (default, can be omitted)
  -  Fail
  ~  Softfail
  ?  Neutral

Match (mechanism):
  ip4      IPv4 address or range
  ip6      IPv6 address or range
  a        DNS A records for domain
  mx       DNS MX records for domain
  include  Include the SPF record of another domain
  all      Always matches (catch all)

SPF Syntax
• Example

• v=spf1 ip4:87.213.105.253 include:spf.protection.outlook.com include:servers.mcsv.net ~all (OGD.nl)

• v=spf1 mx a:www.tweedekamer.nl ip4:213.207.90.158 include:_spf.intermax.nl -all (Tweede Kamer)

• v=spf1 -all (aivd.nl)

• Max 10 DNS lookups, cumulative (include, mx etc. all count)

• When an include fails, there is no negative effect

• Max string length of a TXT record string is 255 bytes


SPF Caveats
• You have to know every mail server that uses your domain

• Mailing services like MailChimp, SaaS

• Legitimate forwarding could be broken

• e.g. mailing lists

• No protection against From: header spoofing (RFC5322.From)

• Subdomains require an explicit SPF record

SPF Caveats: forwards

Diagram: dave@contoso.com mails group@fabrikam.com, which forwards to willem@wingtoys.com

Hop 1 (contoso.com -> fabrikam.com):
  EHLO contoso.com
  MAIL FROM: dave@contoso.com
  RCPT TO: group@fabrikam.com
  From: dave@contoso.com

Hop 2 (fabrikam.com -> wingtoys.com):
  EHLO fabrikam.com
  MAIL FROM: dave@contoso.com
  RCPT TO: willem@wingtoys.com
  From: dave@contoso.com

Mitigation in Fabrikam could be Sender Rewriting Scheme:
  bounces+SRS=#as#=12000000=contoso.com=dave@fabrikam.com


What does DKIM do?
DomainKeys Identified Mail

• Signs messages leaving the organization

• Private/Public Key construction
  • Signed with Private Key
  • Recipient organization verifies with Public Key

• Public Key information in public DNS record

• This way recipients know:
  • Domain owner takes responsibility
  • If message has been changed in transit


DKIM in DNS
• <selector>._domainkey.contoso.com

• TXT
  • Includes public key

• CNAME
  • Points to another record, for instance:
    selector1-contoso-com._domainkey.contoso.onmicrosoft.com

• You can have multiple selectors, either TXT or CNAME


DKIM Syntax


What does DMARC do?
Domain-based Message Authentication, Reporting & Conformance

• Checks incoming mail based on the RFC5322.From domain
  • This is what users see in the Display Name etc.
  • Includes results from the SPF and DKIM checks

• Sender organization can suggest actions when SPF and/or DKIM fail

• Sender organization can receive reports

• Subdomains can have different policy from main domain


DMARC in DNS
• TXT record in the form of “_dmarc.your_domain.com.”

• A subdomain first checks the subdomain's DNS; if no record is present on the subdomain, the organizational domain is used.
  • @service.marketing.ogd.nl > _dmarc.service.marketing.ogd.nl
  • If not existing > _dmarc.ogd.nl

• If no DNS record is found, the DMARC check is skipped.

Tag    Short description                                    Value                     Required? / default
v      Protocol version, for now version 1                  DMARC1                    Required
p      Policy for the organizational domain                 none, quarantine, reject  Required
sp     Policy for subdomains of the organizational domain   none, quarantine, reject  Optional; if not explicitly defined, sp is the same as p
pct    Percentage of messages subjected to filtering        0-100                     Optional (default is 100)
fo     Reporting options                                    0, 1, d, s                Optional
ruf    Address for forensic reports                         Mail address              Optional (required if fo= is used)
rua    Address for aggregate reports                        Mail address              Optional
adkim  Alignment mode for DKIM (relaxed or strict)          r, s                      Optional / default is relaxed
aspf   Alignment mode for SPF (relaxed or strict)           r, s                      Optional / default is relaxed


DMARC Syntax
• Example

• v=DMARC1; p=quarantine; ruf=mailto:dmarc_ruf@ogd.nl; rua=mailto:dmarc_rua@ogd.nl; fo=1

• v=DMARC1; p=quarantine; rua=mailto:jxduktlu@ag.dmarcian.com; ruf=mailto:jxduktlu@fr.dmarcian.com; adkim=s; aspf=r; sp=reject; fo=1; pct=100
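As an added example (not from the presentation), the following code does the record lookup described two slides up and parses the result against the tag table: it tries _dmarc.<From domain> first, falls back to _dmarc.<organizational domain>, fills in the defaults (sp=p, pct=100, relaxed alignment) and rejects records with a missing p= or an out-of-range pct=. DNS is a constructed in-memory table with made-up ogd.example and partner.example records, and the organizational domain is approximated as the last two labels, which is a simplification (real receivers use the Public Suffix List, so co.uk-style domains are not handled here).

```python
"""Added example (not from the presentation): DMARC record discovery
(subdomain, then organizational domain) and tag parsing with defaults."""

# Constructed stand-in for public DNS TXT records.
FAKE_DNS_TXT = {
    "_dmarc.ogd.example": "v=DMARC1; p=quarantine; ruf=mailto:dmarc_ruf@ogd.example; "
                          "rua=mailto:dmarc_rua@ogd.example; fo=1; sp=reject",
    "_dmarc.partner.example": "v=DMARC1; p=reject; adkim=s; aspf=r; pct=50",
}
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r", "fo": "0"}
VALID_POLICIES = {"none", "quarantine", "reject"}


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def find_dmarc_record(from_domain: str):
    """(record_name, record_text), or (None, None) when DMARC is skipped."""
    candidates = [f"_dmarc.{from_domain}"]
    org = organizational_domain(from_domain)
    if org != from_domain.lower():
        candidates.append(f"_dmarc.{org}")
    for name in candidates:
        if name in FAKE_DNS_TXT:
            return name, FAKE_DNS_TXT[name]
    return None, None


def parse_dmarc(record: str) -> dict:
    """Validate the record and return the effective policy with defaults applied."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("v=DMARC1 must be the first tag")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p= is required and must be none, quarantine or reject")
    policy = dict(DEFAULTS)
    policy.update(tags)
    policy["pct"] = int(policy["pct"])
    policy.setdefault("sp", policy["p"])          # sp defaults to p
    if policy["sp"] not in VALID_POLICIES or not 0 <= policy["pct"] <= 100:
        raise ValueError("invalid sp= or pct=")
    for key in ("rua", "ruf"):
        if key in policy:
            policy[key] = [u.strip() for u in policy[key].split(",")]
    policy["warnings"] = []
    if policy["fo"] != "0" and "ruf" not in policy:
        policy["warnings"].append("fo= set but no ruf= address to send forensic reports to")
    return policy


def is_valid_dmarc(record: str) -> bool:
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def effective_policy(from_domain: str) -> str:
    """The action a receiver applies to failing mail for this From: domain.
    When the record came from the organizational domain, sp= applies."""
    name, record = find_dmarc_record(from_domain)
    if record is None:
        return "none"
    policy = parse_dmarc(record)
    return policy["p"] if name == f"_dmarc.{from_domain.lower()}" else policy["sp"]


if __name__ == "__main__":
    for d in ("ogd.example", "service.marketing.ogd.example", "nobody.example"):
        print(d, "->", find_dmarc_record(d)[0], effective_policy(d))
```

The effective_policy function is what the "protect your subdomains" best practice relies on: with sp=reject on ogd.example, a mail claiming to come from service.marketing.ogd.example is rejected even though that subdomain publishes nothing.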

Putting SPF, DKIM and DMARC together

Diagram: Client sends mail -> Server signs and sends the mail -> Internet -> Server receives mail delivery request -> SPF check and DKIM check -> DMARC check -> Extra filtering or delivery (DNS is consulted for each check)

1. Client sends a mail
2. Server signs with DKIM and sends the mail over the internet
3. Receiving server gets a connection request to accept mail
4. Starts with an SPF check
5. Simultaneously starts a DKIM check
6. Then starts with the DMARC check
   A. Checks DNS for the DMARC policy
   B. Checks the results of the SPF (RFC5321.From) and DKIM (d=) against RFC5322.From
   C. Applies the DMARC policy according to the DNS record
7. If everything passes (depending on policy) the mail gets delivered to the receiving client or is subjected to additional filtering

Schematics provided by OGD ict diensten
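Step 6 is where the earlier checks are combined, and it is the step most people get wrong when debugging a DMARC failure. As an added example (not from the presentation), the code below takes the SPF result together with the RFC5321.From domain it was computed for, the DKIM result together with the d= domain, the RFC5322.From domain and the parsed policy, and returns the DMARC verdict and the disposition. It implements the relaxed versus strict alignment from the "Not talked about" slide at the end of the talk as well; the organizational domain is again approximated as the last two labels, and the pct= sampling hashes the Message-ID so it is deterministic for the test (a constructed choice; real MTAs usually use a random draw).

```python
"""Added example (not from the presentation): DMARC evaluation, identifier
alignment (relaxed/strict) and disposition including pct= sampling."""
import hashlib


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed (r): organizational domains match (marketing.ogd.nl ~ ogd.nl).
    Strict (s): the full domain must be identical."""
    a, b = identifier_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def dmarc_evaluate(from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, policy: dict) -> tuple:
    """policy: dict with p, and optionally adkim, aspf, pct (as parsed from DNS).
    Returns (dmarc_pass, spf_aligned_pass, dkim_aligned_pass). DMARC passes when
    at least one of SPF or DKIM both passed AND aligns with the From: domain."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    return spf_ok or dkim_ok, spf_ok, dkim_ok


def disposition(dmarc_pass: bool, policy: dict, message_id: str) -> str:
    """Action for a message: deliver, quarantine or reject. pct= applies the
    policy to only that share of failing mail; the rest gets the next
    less strict action (reject -> quarantine, quarantine -> none)."""
    if dmarc_pass:
        return "deliver"
    action = policy["p"]
    pct = int(policy.get("pct", 100))
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    if bucket >= pct:
        action = {"reject": "quarantine", "quarantine": "none"}.get(action, "none")
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[action]


if __name__ == "__main__":
    pol = {"p": "reject", "adkim": "r", "aspf": "r", "pct": 100}
    # Forwarded mail: SPF fails at the forwarder, DKIM survives and aligns.
    print(dmarc_evaluate("contoso.com", "fail", "contoso.com", "pass", "contoso.com", pol))
    # Bulk mailer signing with its own domain: DKIM passes but does not align.
    print(dmarc_evaluate("contoso.com", "pass", "mailer.example", "pass", "mailer.example", pol))
```

The second case in the usage block is the "DKIM alignment" warning from the last slide: a mailing service whose d= is its own domain produces a perfectly valid signature that contributes nothing to DMARC for your domain.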


Best practices
• Protect all your domains, even if you don’t mail from them.
  • SPF: “v=spf1 -all”
  • DMARC: “v=DMARC1; p=reject”

• Protect your subdomains, even if you don’t mail from them
  • SPF: “v=spf1 -all”
  • DMARC: Add “sp=reject” on the organizational domain


Best practices
• Implement a process for changes to SPF, DKIM and DMARC
  • Make sure every change goes through someone that knows how it works
  • Do a regular check to see if SPF, DKIM and DMARC are still configured correctly

• Demand DKIM from mailing services (Mailchimp and the like)
  • If not possible, consider using a subdomain for it; this way your domain can be kept strict
  • Use at least 1024-bit key strength (default in O365)


Best practices
• Make DMARC stricter after a test period.
  1. p=none, sp=quarantine or reject
  2. p=quarantine, sp=reject
  3. p=reject
  • Optional: use pct to limit the impact

• Warn users about mailing lists that do not use DKIM and/or do not use Sender Rewriting Scheme.
  • Forwarding from Outlook or with a mail rule is no issue, as the old mail is attached to the new mail.


Not talked about:
Alignment:

• DMARC relaxed vs strict
  • Relaxed = organizational domain must match (marketing.ogd.nl matches ogd.nl)
  • Strict = FQDN must match (marketing.ogd.nl does not match ogd.nl)

• DKIM alignment
  • Make sure that mailing services sign DKIM with the correct domain at d=

Authenticated Received Chain (ARC)
• ARC preserves email authentication results across subsequent intermediaries


Questions?
